Heartbleed Bug Vulnerability

Heartbleed Bug: Flaw in OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1

On April 7, 2014, the Heartbleed bug was revealed to the Internet community. The Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The Heartbleed Bug allows an attacker to gain access to sensitive information that is normally protected by the SSL and TLS protocols without leaving a trace.

This only affects you if you are running OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1, or if you are running software that is using affected versions of the OpenSSL library.

The steps to secure your environment against the Heartbleed Bug vulnerability must be done in the following order. For example, you must not do step six (reset passwords) before you have completed steps 1 – 5, or else your reset passwords may still be exposed.

1. Detect if you are vulnerable to the Heartbleed Bug attack.

   • For fast checking

     If you only have a few public facing servers to check, use our SSL Server Checker

   • For thorough checking

     Use DigiCert Discovery to detect if you are vulnerable to the Heartbleed Bug attack.

   If you are vulnerable to a Heartbleed Bug attack (i.e. you have servers running a vulnerable version of OpenSSL or software that is using an OpenSSL library with the Heartbleed Bug in it), you should take the following actions as soon as possible to mitigate any possible damages.

2. Patch your software.

   When securing your environment against the Heartbleed Bug, you need to patch OpenSSL on servers that are running vulnerable versions of OpenSSL, and you need to patch software that is using affected versions of the OpenSSL library. To secure your affected servers and software from the Heartbleed Bug vulnerability, take the appropriate actions to patch your servers/software:

   • Upgrade to the latest version of OpenSSL (version 1.0.1g or later).

     Servers

     Check your package manager for an updated OpenSSL package and install it. If you do not have an updated OpenSSL package, contact your Service Provider to obtain the latest version of OpenSSL and install it.

     Software

     Check for software patches that have been released to fix the Heartbleed Bug vulnerability and install them. If you do not have software patches, contact your software vendor to obtain the latest patch and install it.

     Note: You may need to restart software after it is patched to make sure the OpenSSL library is reset and that the Heartbleed Bug is removed from cached memory.

   • Rollback to OpenSSL version 1.0.0 or earlier.

   • Recompile OpenSSL on your servers with the OPENSSL_NO_HEARTBEATS flag.

3. Verify that your Heartbleed Bug vulnerabilities are patched.

   • For thorough checking

     To scan your internal networks or multiple servers, use DigiCert Discovery to rescan your environment to make sure that you are no longer vulnerable to the Heartbleed Bug attack.

   • For fast checking

     If you only have a few public facing servers to check, use our SSL Server Checker

4. Rekey, reissue, and install your certificates.

   • You need to rekey and reissue all the certificates on your affected servers.

     When reissuing certificates, make sure that you generate new Certificate Signing Requests (CSR).

     For DigiCert customers, see Reissuing a DigiCert® SSL Certificate.

   • Then, after servers and software are patched and only after they are patched, install your reissued certificates.

5. Revoke replaced certificates.

   After installing your reissued certificates, you need to revoke the certificates that were replaced. To get your certificate revoked, contact your Certificate Authority.

   For DigiCert customers, do the following:

   To have your certificate revoked, email support at support@digicert.com. Make sure to include your certificate's order number and a brief description of what you want revoked.

6. Reset passwords.

   If your servers accept passwords, you should also have your clients reset their passwords, but only after servers and software are patched and certificates are rekeyed, reissued, installed, and revoked.

   Note: If clients reset their passwords before servers/software are patched and certificates are rekeyed, reissued, installed, and revoked, then their passwords were still exposed, and they must reset their passwords again.

   To join the conversation and get more information about the Heartbleed bug, see our blog at Heartbleed Openssl Fix/